Message-ID: <E17mlYm-00006Q-00.2002-09-05-02-35-52@mail18.svr.pol.co.uk>
From: mail at blazde.co.uk (Roland Postle)
Subject: IE 6 XSS
>Ahhh - time to bust out the old Unicode tekniqz...
>
>http://www.ebay.com%25%32%46%40www%2emsn%2ecom/
>http://www.ebay.com%252f%40www%2emsn%2ecom/
>http://www.ebay.com%25%32%46%40%57%57%57%2e%4d%53%4e%2e%43%4f%4d/

Myth. It's not unicode, just URL encoded ISO-Latin. There is currently
no way to put unicode in URLs, don't let that similar looking 'extended
unicode directory traversal' thingy in IIS last year confuse you. That
was just IIS misinterpreting the request. Probably Microsoft trying to
'extend' the standard to include unicode.

And.... I don't see how it's XSS either.

And.... it's not tekniqz, it's techniques :D

- Blazde
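
Added example, not part of the original message: the three quoted URLs percent-decoded one layer at a time as ISO-8859-1, with the host that an authority split yields at each layer, which is what a filter comparing hostnames has to account for. The function names are this example's own.

```python
from urllib.parse import unquote, unquote_to_bytes

# The three URLs quoted in the message above.
SAMPLES = [
    "http://www.ebay.com%25%32%46%40www%2emsn%2ecom/",
    "http://www.ebay.com%252f%40www%2emsn%2ecom/",
    "http://www.ebay.com%25%32%46%40%57%57%57%2e%4d%53%4e%2e%43%4f%4d/",
]


def decode_layers(url, limit=5):
    """Percent-decode repeatedly as ISO-8859-1 until nothing changes."""
    stages = [url]
    while len(stages) <= limit:
        nxt = unquote(stages[-1], encoding="latin-1")  # one pass only
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def host_of(url):
    """Host seen when this exact string is split with no further decoding."""
    rest = url.split("://", 1)[1]
    authority = rest.split("/", 1)[0]    # authority ends at the first literal '/'
    host = authority.rsplit("@", 1)[-1]  # text before the last '@' is userinfo
    return host.lower()


def report(url):
    """(decoded string, apparent host) for every decoding layer."""
    return [(stage, host_of(stage)) for stage in decode_layers(url)]


def all_bytes_ascii(url):
    """True if every byte of every decoded layer is below 0x80 (plain ASCII)."""
    return all(max(unquote_to_bytes(s)) < 0x80 for s in decode_layers(url))


if __name__ == "__main__":
    for sample in SAMPLES:
        print("ASCII only:", all_bytes_ascii(sample))
        for stage, host in report(sample):
            print(f"  {stage}\n    host -> {host}")
```

The apparent host differs between the first and second decoding pass, so a check that compares hostnames has to decode the same number of times as the component that finally resolves the URL.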